
Sonae IM and S21sec strengthen their position in the European cybersecurity market through the acquisition of SysValue.

The acquisition means that Sonae Investment Management (IM) now holds the leading position in Portugal, as the largest pure play cybersecurity entity, and is able to leverage significant synergies between Grupo S21sec Gestión and SysValue.

Sonae Investment Management (IM) has today confirmed its acquisition of SysValue, a cybersecurity services company with key strengths in Auditing, Consulting, Integration, Training and R&D, and a distinctive presence in the Telecom, Financial Services, Energy and Government sectors.

This acquisition, following the Grupo S21sec transaction in September of 2014, is yet another important milestone in the execution of Sonae IM’s European cybersecurity market leadership and international expansion strategy. More specifically, the company now establishes itself as the clear pure play leader in the Portuguese market.

According to Carlos Alberto Silva, Board Member at Sonae IM, “We are proud of this latest development to strengthen our cybersecurity portfolio, as we believe there is a clear market opportunity for a focused player that has the added benefit of scale. SysValue represents a significant asset to us in Portugal and also at a wider regional level. We will continue seeking organic and inorganic growth opportunities.”

João Barreto, Founder and Chairman of the Board of SysValue, echoes these sentiments, “Becoming part of Sonae IM’s cybersecurity strategy is the result of 14 years of dedication to information security and teaming up with S21sec is an opportunity to elevate the delivery of cybersecurity services to unparalleled levels of expertise and sophistication. A broader service offering, the go-to-market of SysValue’s R&D initiatives and the delivery of services internationally will be immediate benefits stemming from this deal.”

The integration of SysValue into Sonae IM’s portfolio will also allow the extraction of significant synergies involving the pooling of knowledge and expertise in Technical Delivery and R&D resources, establishment of common back-office structures, alignment of go-to-market strategies, consolidation of positions in key accounts and plenty of cross-selling opportunities.

When thinking about the synergies, Pedro Leite, Chief Delivery Officer and VP Portugal at S21sec, says, “With the acquisition of SysValue, we strengthen our position in the Portuguese market with a team of highly specialized and experienced cybersecurity professionals. As the country’s market leader, we want to contribute to the development of the cybersecurity sector in Portugal and we believe that we have the right team to make it happen.”

Sonae IM will be able to further leverage its portfolio companies’ Government sector relationships and activities to reinforce its proactive EU strategy to strengthen the region’s robustness and preparedness when facing cybersecurity incidents. Through S21sec, Sonae IM has the Presidency of the European Cybersecurity Group (ESCG), an alliance of 5 leading European pure play companies.



Yesterday Europol published a press release announcing the detention of approximately 700 money mules all over Europe last February.

These are key operations because they directly affect the monetization of fraud, and they can only take place with the participation of international banks, police, security forces and companies.

We have been investigating the use of mules in bank fraud since the 21st century, and more specifically the operation of banking malware that calls itself ATS. The abbreviation stands for Automated Transfer System, and its aim is to act as an automated interface connecting banking Trojans to the money mules captured by the "mule herder".

[Figure: interior of an ATS showing the connections coming from the botnet]

Although this has been a very popular attack in recent years, it is in no way new as we have internal records of its use since at least 2011. The fraud process generally consists of the following steps:

1. The user is infected by malware. This normally happens through a social engineering attack received by email or by unintentionally browsing a compromised web page that hosts an exploit kit.

2. The infected user visits the legitimate website of their usual bank and is deceived through social engineering.

3. The deceived user makes the transfer. The malware then connects to the ATS panel which, based on the user's data, selects a mule from those it has captured to perform the transaction.

4. After the transfer, the malware can act in different ways as determined by the cybercriminal: delete itself, wipe the operating system, or continue as if nothing had happened, falsifying the data visible to the user.

The graph below shows a general outline of the process.

One of the tasks performed on a daily basis in the department when investigating and analyzing botnets is to check whether the associated malware is able to perform attacks using ATS.

As a result of these analyses, we detected over 150 different mules in 2015, prepared to receive transfers made by infected users. The main malware families using these mules were kins, tinba, xswit, pykbot, urlzone and dridex.

An example of this can be seen below in the location of the money mules used by tinba botnets.

For us, it is a real challenge to share our work and cooperate with the police and government security companies to try to neutralize and capture all those involved in these fraud schemes, so we are proud to see press releases like the one published by Europol.

Today, we can be pleased with the work we have done and tomorrow, we will have to detect the 700 mule accounts that are no doubt already being prepared.
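Added example, not S21sec's code: one way a bank could use mule accounts recovered from ATS analysis is to screen outgoing transfers on the server side, where the malware cannot falsify what is seen. It assumes mule accounts are tracked as IBANs; the field names, the threshold and the watchlist are hypothetical, and the IBANs are public documentation samples, not real mule accounts.

```python
import re

HOLD_ABOVE = 1000  # assumed policy threshold, in account currency

def normalize_iban(raw):
    """Strip spaces/dashes and uppercase so formatting cannot dodge a match."""
    return re.sub(r"[^A-Za-z0-9]", "", raw).upper()

def iban_is_valid(iban):
    """ISO 13616 check: rotate first 4 chars to the end, map A-Z to 10-35, mod 97 == 1."""
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    rotated = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rotated)) % 97 == 1

def screen_transfer(transfer, mule_watchlist, known_payees):
    """Return (action, reason); decided server-side, not from the browser's view."""
    iban = normalize_iban(transfer["beneficiary_iban"])
    if not iban_is_valid(iban):
        return "reject", "malformed beneficiary IBAN"
    if iban in mule_watchlist:
        return "block", "known mule account seen with " + mule_watchlist[iban]
    first_time = iban not in known_payees.get(transfer["customer"], set())
    if first_time and transfer["amount"] > HOLD_ABOVE:
        return "hold", "new beneficiary above threshold: confirm out of band"
    return "allow", "no indicator matched"

# Constructed sample data (documentation IBANs; the family tag is illustrative).
MULE_WATCHLIST = {"ES9121000418450200051332": "tinba"}
KNOWN_PAYEES = {"cust-1": {"DE89370400440532013000"}}
SAMPLE_TRANSFERS = [
    {"customer": "cust-1", "beneficiary_iban": "es91 2100 0418 4502 0005 1332", "amount": 900},
    {"customer": "cust-1", "beneficiary_iban": "DE89 3704 0044 0532 0130 00", "amount": 5000},
    {"customer": "cust-1", "beneficiary_iban": "GB82 WEST 1234 5698 7654 32", "amount": 5000},
    {"customer": "cust-1", "beneficiary_iban": "GB82 WEST 1234 5698 7654 31", "amount": 50},
]

def run_samples():
    """Screen every constructed transfer and return only the actions."""
    return [screen_transfer(t, MULE_WATCHLIST, KNOWN_PAYEES)[0] for t in SAMPLE_TRANSFERS]

if __name__ == "__main__":
    for t, action in zip(SAMPLE_TRANSFERS, run_samples()):
        print(action, t["beneficiary_iban"])
```

The "hold" outcome covers the case where the mule is not yet on any list: a first payment to an unknown beneficiary is confirmed over a channel the infected machine does not control.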
